Message ID | 20240126170901.893-1-johan+linaro@kernel.org |
---|---|
State | Accepted |
Commit | 00aab7dcb2267f2aef59447602f34501efe1a07f |
Series | HID: i2c-hid-of: fix NULL-deref on failed power up |
Hi,

On Fri, Jan 26, 2024 at 9:10 AM Johan Hovold <johan+linaro@kernel.org> wrote:
>
> A while back the I2C HID implementation was split in an ACPI and OF
> part, but the new OF driver never initialises the client pointer which
> is dereferenced on power-up failures.
>
> Fixes: b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are separate modules")
> Cc: stable@vger.kernel.org # 5.12
> Cc: Douglas Anderson <dianders@chromium.org>
> Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
> ---
> drivers/hid/i2c-hid/i2c-hid-of.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/hid/i2c-hid/i2c-hid-of.c b/drivers/hid/i2c-hid/i2c-hid-of.c > index c4e1fa0273c8..8be4d576da77 100644 > --- a/drivers/hid/i2c-hid/i2c-hid-of.c > +++ b/drivers/hid/i2c-hid/i2c-hid-of.c > @@ -87,6 +87,7 @@ static int i2c_hid_of_probe(struct i2c_client *client) > if (!ihid_of) > return -ENOMEM; > > + ihid_of->client = client;

Good catch and thanks for the fix. FWIW, I'd be OK w/

Reviewed-by: Douglas Anderson <dianders@chromium.org>

That being said, I'd be even happier if you simply removed the
"client" from the structure and removed the error printout.
regulator_bulk_enable() already prints error messages when a failure
happens and thus the error printout is redundant and wastes space.

-Doug
On Fri, Jan 26, 2024 at 09:47:23AM -0800, Doug Anderson wrote:
> On Fri, Jan 26, 2024 at 9:10 AM Johan Hovold <johan+linaro@kernel.org> wrote:
> > A while back the I2C HID implementation was split in an ACPI and OF
> > part, but the new OF driver never initialises the client pointer which
> > is dereferenced on power-up failures.
> Good catch and thanks for the fix. FWIW, I'd be OK w/
>
> Reviewed-by: Douglas Anderson <dianders@chromium.org>
>
> That being said, I'd be even happier if you simply removed the
> "client" from the structure and removed the error printout.
> regulator_bulk_enable() already prints error messages when a failure
> happens and thus the error printout is redundant and wastes space.

True, but that error message does not include the device that tried to
use the regulator.

I actually hit this when adding dev_dbg() to the function in question.
For such cases, it's also convenient to have struct device easily
accessible so I think it should be ok to just leave this pointer in.

Johan
diff --git a/drivers/hid/i2c-hid/i2c-hid-of.c b/drivers/hid/i2c-hid/i2c-hid-of.c index c4e1fa0273c8..8be4d576da77 100644 --- a/drivers/hid/i2c-hid/i2c-hid-of.c +++ b/drivers/hid/i2c-hid/i2c-hid-of.c @@ -87,6 +87,7 @@ static int i2c_hid_of_probe(struct i2c_client *client) if (!ihid_of) return -ENOMEM; + ihid_of->client = client; ihid_of->ops.power_up = i2c_hid_of_power_up; ihid_of->ops.power_down = i2c_hid_of_power_down;
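Review bot: The commit message should name the dereference site for the line added after the `!ihid_of` check in i2c_hid_of_probe(): it says only that the client pointer "is dereferenced on power-up failures", and the thread indicates this is the driver's own error printout on the regulator enable failure path. Spelling out that function and call would let stable maintainers judge reachability (a NULL dereference in kernel context whenever power-up fails) without reading the driver. The placement itself, before the `ihid_of->ops.power_up` and `ihid_of->ops.power_down` assignments, is fine because the pointer is then set before either callback can be invoked. If the "client" member is kept as discussed, a short comment on the field saying it exists for diagnostics would help keep it from being dropped or left unset again in a later reorganization.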
A while back the I2C HID implementation was split in an ACPI and OF
part, but the new OF driver never initialises the client pointer which
is dereferenced on power-up failures.

Fixes: b33752c30023 ("HID: i2c-hid: Reorganize so ACPI and OF are separate modules")
Cc: stable@vger.kernel.org # 5.12
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>

---
drivers/hid/i2c-hid/i2c-hid-of.c | 1 +
1 file changed, 1 insertion(+)